[unisog] Pen testers after my own heart...

Jordan Wiens numatrix at ufl.edu
Mon Jun 12 19:18:27 GMT 2006

Gary Flynn wrote:
> Here is an article about a similar test using CDs instead
> of USB keys:
> http://software.silicon.com/security/0,39024655,39156503,00.htm
> And another article covering the issue in more detail:
> http://www.csoonline.com/read/050106/ipods.html

That second article is wrong.  It claims that:

"But there is another important threat that portable storage poses to 
today's information systems. Plug an iPod or USB stick into a PC running 
Windows and the device can literally take over the machine and search 
for confidential documents, copy them back to the iPod or USB's internal 
storage, and hide them as "deleted" files."

That is just plain incorrect.  From:

Q: What must I do to trigger Autorun on my USB storage device?
The Autorun capabilities are restricted to CD-ROM drives and fixed disk 
drives. If you need to make a USB storage device perform Autorun, the 
device must not be marked as a removable media device and the device 
must contain an Autorun.inf file and a startup application.

The removable media device setting is a flag contained within the SCSI 
Inquiry Data response to the SCSI Inquiry command. Bit 7 of byte 1 
(indexed from 0) is the Removable Media Bit (RMB). A RMB set to zero 
indicates that the device is not a removable media device. A RMB of one 
indicates that the device is a removable media device. Drivers obtain 
this information by using the StorageDeviceProperty request.

ipods and nearly all usb sticks are all classified as removable media 
and this you cannot enable autorun without some other program already 
running on the PC (heck, that's why ipods require the ipodagent.exe 
running on the host PC to detect the ipod insertion).

Jordan Wiens, CISSP
UF Security Engineer

More information about the unisog mailing list